WAGE Specification

WAGE: An Authenticated Cipher Submission to the NIST LWC Competition

Submitters/Designers: Mark Aagaard, Riham AlTawy (1), Guang Gong, Kalikinkar Mandal (*), Raghvendra Rohit, and Nusa Zidaric

(*) Corresponding submitter: Email: [email protected] Tel: +1-519-888-4567 x45650

Communication Security Lab
Department of Electrical and Computer Engineering
University of Waterloo
200 University Avenue West
Waterloo, ON, N2L 3G1, CANADA
https://uwaterloo.ca/communications-security-lab/lwc/wage

September 27, 2019

(1) Currently with Department of Electrical and Computer Engineering, University of Victoria, 3800 Finnerty Rd, Victoria, BC, V8P 5C2, CANADA

Contents

1 Introduction
    1.1 Notation
    1.2 Outline
2 Specification of WAGE
    2.1 WAGE AEAD Algorithm
    2.2 Recommended Parameter Set
    2.3 Description of the WAGE Permutation
        2.3.1 Underlying finite field
        2.3.2 The LFSR
        2.3.3 The nonlinear components
        2.3.4 Description of the core permutation
        2.3.5 Round constants
    2.4 WAGE-$\mathcal{AE}$-128 Algorithm
        2.4.1 Rate and capacity part of state
        2.4.2 Padding
        2.4.3 Loading key and nonce
        2.4.4 Initialization
        2.4.5 Processing associated data
        2.4.6 Encryption
        2.4.7 Finalization
        2.4.8 Decryption
3 Security Claims
4 Design Rationale
    4.1 Mode of Operation
    4.2 WAGE State Size
    4.3 Choice of Linear Layer
    4.4 Nonlinear Layer of WAGE
        4.4.1 The Welch-Gong permutation (WGP)
        4.4.2 The 7-bit sbox (SB)
    4.5 Number of Rounds
    4.6 Round Constants
        4.6.1 Generation of round constants
    4.7 Loading and Tag Extraction
    4.8 Choice of Rate Positions
    4.9 Relationship to WG ciphers
    4.10 Statement
5 Security Analysis
    5.1 Security of WAGE Permutation
        5.1.1 Differential distinguishers
        5.1.2 Diffusion behavior
        5.1.3 Algebraic degree
        5.1.4 Self-symmetry based distinguishers
    5.2 Security of WAGE-$\mathcal{AE}$-128
6 Hardware Design And Analysis
    6.1 Hardware Design Principles
    6.2 Interface and Top-level Module
        6.2.1 Interface protocol
        6.2.2 Protocol timing
        6.2.3 Control phases
    6.3 Hardware Implementation Details
        6.3.1 State machine
        6.3.2 The WAGE datapath
    6.4 Hardware Implementation Results
        6.4.1 Tool configuration and implementation technologies
        6.4.2 Implementation results
7 Software Efficiency Analysis
    7.1 Software: Microcontroller
A Test Vectors
    A.1 WAGE Permutation
    A.2 WAGE-$\mathcal{AE}$-128
    A.3 Round Constants Conversion

List of Figures

    2.1 The state at i-th round of the WAGE permutation
    2.2 Schematic diagram of the WAGE-$\mathcal{AE}$-128 algorithm
    2.3 Rate (shaded orange) and capacity (green) part of WAGE-$\mathcal{AE}$-128
    4.1 The LFSR for generating WAGE round constants
    4.2 Generation of round constants
    6.1 Top-level WAGE module and the interface with the environment
    6.2 Interface protocol
    6.3 Timing diagram: loading and initialization during WAGE-$\mathcal{AE}$-128
    6.4 Timing diagram: encryption during WAGE-$\mathcal{AE}$-128
    6.5 Timing of tag phase during WAGE-$\mathcal{AE}$-128
    6.6 Phases and datapath operations
    6.7 Control flow between phases
    6.8 Optimized control flow between phases
    6.9 State machine
    6.10 WAGE datapath
    6.11 The wage lfsr with multiplexers XOR and AND gates
    6.12 Area² vs Throughput

List of Tables

    2.1 Recommended parameter set for WAGE-$\mathcal{AE}$-128
    2.2 Examples of conversion of the field elements to HEX
    2.3 Hex representation of WGP
    2.4 Hex representation of SB
    2.5 Round constants of WAGE
    3.1 Security claims of WAGE-$\mathcal{AE}$-128 (in bits)
    4.1 Area implementation results for the defining polynomials $f_i(x)$ for $\mathbb{F}_{2^7}$
    4.2 Loading into the shift register through data inputs D4, D3 and D0
    5.1 Minimum number of active sboxes for different primitive polynomials
    6.1 Interface signals
    6.2 Modes of operation
    6.3 Control table for datapath based on phases from Figure 6.6
    6.4 Control table for WAGE
    6.5 WAGE permutation hardware area estimate and implementation results
    6.6 Tools and implementation technologies
    6.7 ASIC implementation results
    6.8 FPGA implementation results
    7.1 Performance of WAGE on microcontrollers
    A.1 Generation of the first five round constant pairs $(rc_1^i, rc_0^i)$

Chapter 1 Introduction

WAGE is a 259-bit lightweight permutation based on the Welch-Gong (WG) stream cipher [22, 23]. It is designed to achieve an efficient hardware implementation for Authenticated Encryption with Associated Data (henceforth "AEAD"), while providing sufficient security margins. To accomplish this, the WAGE components and mode of operation are adopted from well known and analyzed cryptographic primitives. The design of WAGE, its security properties, and features are described as follows.

  • WAGE nonlinear layer: WG permutation over $\mathbb{F}_{2^7}$ and a new 7-bit Sbox. The WG cipher, including the WG permutation, is a well-studied cryptographic primitive and has low hardware cost.
  • WAGE linear layer: An LFSR with low hardware cost and good resistance against differential and linear cryptanalysis.
  • WAGE security: Simple analysis and security bounds provided using automated tools such as CryptoSMT solver [17] and Gurobi [14].
  • Functionality: Authenticated Encryption with Associated Data.
  • WAGE mode of operation: Unified sponge duplex mode [3] that has stronger keyed initialization and finalization phases.
  • Security claims: Offers 128-bit security. Accepts a 128-bit key and 128-bit nonce.
  • Hardware performance: Efficient in hardware. Achieves a throughput of 517 Mbps and has an area of 2900 GE in a 65 nm ASIC. Implementation results are presented for four ASIC libraries and two FPGAs along with parallel implementations.
  • Microcontroller performance: WAGE is implemented on three different microcontroller platforms, namely ATmega128, MSP430F2370, and LM3S9D96 (Cortex M3). The best throughput for the permutation is achieved on LM3S9D96, which is 286.78 Kbps.

1.1 Notation

The following notation will be used throughout the document.

| Notation | Description |
|---|---|
| X Y, $X \oplus Y$, $X \parallel Y$ | Bitwise AND, XOR and concatenation of X and Y |
| $X \otimes Y$ | Finite field multiplication of X and Y |
| $S$ | 259 bit state of WAGE |
| $S_j$, $S_{j,k}$ | stage j of state S and k-th bit of stage $S_j$, where $j \in \{0, \ldots, 36\}$ and $k \in \{0, \ldots, 6\}$ |
| $S_r$, $S_c$ | r-bit rate part and c-bit capacity part of S (r = 64, c = 195) |
| $\mathbb{F}_{2^7}$ | Finite field $\mathbb{F}_{2^7}$ |
| $f$, $\omega$ | Defining polynomial for $\mathbb{F}_{2^7}$ and its root, i.e., $f(\omega) = 0$ |
| $\ell$ | LFSR feedback polynomial |
| WGP | Welch-Gong permutation over $\mathbb{F}_{2^7}$ |
| SB | 7-bit Sbox |
| $rc_1^i$, $rc_0^i$ | 7-bit round constants |
| K, N, T | key, nonce and tag |
| k, n, t | length of key, nonce and tag in bits (k = n = t = 128) |
| block | a 64-bit string |
| AD, M, C | associated data, plaintext and ciphertext (in blocks $AD_i$, $M_i$, $C_i$) |
| $\ell_X$ | length of X in blocks where $X \in \{AD, M, C\}$ |
| $\widehat{K}_j$, $\widehat{N}_j$, $\widehat{T}_j$ | 7-bit tuple of key, nonce, and tag, $j = 0, \ldots, 17$ |
| WAGE-$\mathcal{AE}$ | WAGE authenticated encryption algorithm |
| WAGE-$\mathcal{E}$ | WAGE encryption |
| WAGE-$\mathcal{D}$ | WAGE decryption |

1.2 Outline

The rest of the document is organized as follows. In Chapter 2, we present the complete specification of WAGE and summarize the security claims of our submission in Chapter 3. In Chapter 4, we present the rationale of our design choices and provide the detailed security analysis in Chapter 5. The details of our hardware implementations and performance results in ASIC and FPGA are provided in Chapter 6. In Chapter 7, we discuss the efficiency of WAGE on microcontroller implementations. Finally, we conclude with references and test vectors in Appendix A.

Chapter 2 Specification of WAGE

2.1 WAGE AEAD Algorithm

WAGE is an iterative permutation with a state size of 259 bits inspired by the initial-
